Skip to content

JS: Comply with CSP no-unsafe-eval.#8864

Merged
acozzette merged 1 commit intoprotocolbuffers:masterfrom
marnixbouhuis:js-global-scope
Oct 14, 2021
Merged

JS: Comply with CSP no-unsafe-eval.#8864
acozzette merged 1 commit intoprotocolbuffers:masterfrom
marnixbouhuis:js-global-scope

Conversation

@marnixbouhuis
Copy link
Contributor

The current implementation uses Function('return this')() to get the global object. This does not work if you are using protobuf on the web and you disallow unsafe-eval with a CSP header.

This PR changes the way the global object is retrieved: it calls a function and sets this to the global object by calling it with .call(null). Then this is returned.
See: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/call#parameters

Note: this won't work when you are using js strict mode (use strict).
If running in strict mode, it will use different fallbacks (that work with CSP settings that disallow eval), if none work it will fall back to the current way of getting the global object.

This fixes:

@acozzette
Copy link

Thanks, @marnixbouhuis.

@marnixbouhuis
Copy link
Contributor Author

Thanks for merging!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants